Black Friday is now a big event in the retail calendar. But where there are profits to be made, there’s also a heightened risk of cyberattacks.
Black Friday is bigger than ever, with this year’s spending expected to bring in over $12 billion of revenue across the US alone over the course of the week. It’s an exciting time for retailers and shoppers alike as the extended holiday season, particularly in the US and Europe, starts with a boom. But where there are profits to be made, criminals lurk. Black Friday and Cyber Monday present lucrative opportunities for hackers and social engineering scammers. To mitigate the risks and reap the gifts of the season, retailers need to up their defences.
Cybercriminals usually follow the money. According to the 2019 Data Breach Investigations Report by Verizon, 71 percent of attacks are financially motivated. It’s easy to get distracted during the excitement of the holiday season, but it’s also a time when, as a business, you can’t afford to let your guard down. While the potential financial damage of a cyberattack is now widely known, it’s important to reiterate the damages: lost sales, erosion of brand reputation, and even legal sanctions in cases where retailers fail to meet compliance regulations like GDPR in the EU region. During Black Friday and Cyber Monday, the stakes are higher than ever.
How social engineering scammers exploit Black Friday
Most of us expect our inboxes to be flooded with promotional messages during the holiday season. As people hunt for bargains, social engineering scammers are stepping up attacks to take advantage when consumers are more distracted than usual. While retail-related scams plague the internet throughout the year, scammers often up their game during Black Friday and Cyber Monday. These events give them extra cover as retailers are more likely to be distracted serving the influx of customers – both online and in-store. It’s not just phishing emails masquerading as ones sent by legitimate retailers that people have to worry about either: smart scammers often launch malicious websites for the occasion to give credibility to their subterfuge operations.
Warnings to look out for spoofed emails and websites abound. The situation isn’t helped by the fact that legitimate businesses routinely use the season to instil a sense of urgency with time-limited offers and low prices that are hard to turn down. Scammers know this, so they use exactly the same tactics to dupe their victims into taking a desired action, sometimes masquerading under the guise of well-known retailers like Walmart or Target.
Why retailers need to pay attention too
Most of the cybersecurity advice leading up to the post-Thanksgiving shopping extravaganza is aimed at consumers themselves, but there are two sides to every transaction. Sellers are also at risk, especially now that Black Friday is making its way into deals aimed at the B2B world. Retailers also have a duty to protect their customers from scams. Social engineering attacks depend on the ability of scammers to convince would-be victims of their authenticity. That means they’re likely to be using the branding of a legitimate retailer, even to the point of duplicating their promotional efforts outright.
If an attacker is masquerading as a representative of your brand, it hardly reflects well on you, even if you’re not to blame. Many consumers are wary about who they trust with their personal and payment information. As such, if someone falls victim to a phishing scam launched by someone purporting to be from your company, chances are your reputation will suffer too. After all, if your brand becomes associated with a spate of Black Friday phishing scams, it’s going to leave a bad impression, even if you’re entirely innocent of any wrongdoing. That’s why retailers have an ethical and business duty to proactively protect their customers.
During the holiday season, there’s also a greater likelihood of retailers being attacked directly. As the attention of your business focuses on accommodating the proverbial stampede of shoppers, there’s a good chance you could be too distracted to notice attacks in progress. When that happens, hackers might target your website to lead online shoppers to malicious clones to try to steal personal or payment information.
Attackers may plant malicious links and code wherever they think consumers might click, such as in branded websites and mobile apps. Others might set up fake websites and social media profiles from scratch. Social media and business email are also popular attack vectors. By compromising your employees’ accounts, attackers can greatly increase their reach and effectiveness. It doesn’t get much more serious than hackers targeting your digital assets and people to launch social engineering scams against your own customers.
How can you protect your business and your customers?
While the same information security rules and guidelines apply to Black Friday as they do at any other time of the year, it pays to be especially vigilant during the holiday season. It’s essential to take a proactive approach to let people know that you’re one step ahead of the threats. This in itself is an important value proposition that drives business growth rather than merely covering the bare necessities. For example, if your customers are being targeted by a scammer masquerading as someone from your company, you’re going to need to start sending out emails telling them to be on their guard.
You cannot, and should not, wait for customers to alert you to such scams. Instead, you need to proactively hunt for them yourself. You need to find and isolate any scams masquerading under your brand and lock down any online accounts that might have been compromised before they have a chance to cause irreparable damage. To do that, you need a way to look beyond conventional perimeter security measures and lock down your social media and other online endpoints. You also need to monitor the web around the clock to increase your chances of detecting any fake websites or other assets masquerading as ones belonging to your brand. Investing in threat intelligence, or launching a Security Operations Center, are two ways to tackle this. Another important step is to monitor the dark web, where criminals sell stolen data and other assets. If scammers are selling intellectual property or stealing data from you or your customers, the dark web is where it’s most likely to appear.
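One way to start hunting for fake websites that borrow your brand, as an added example that is not part of the original article: score hostnames from a monitoring feed (for instance newly registered domains or certificate transparency logs) against your brand name. The brand `examplemart`, its official domain and the sample feed are constructed placeholders.

```python
import re

BRAND = "examplemart"                    # hypothetical brand label
OFFICIAL = {"examplemart.example"}       # hypothetical official domain(s)
# Character swaps commonly used to make a spoofed hostname look right
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(label):
    """Undo look-alike swaps so 'examp1emart' compares as 'examplemart'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return why a hostname looks like brand impersonation, or None."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL or any(domain.endswith("." + o) for o in OFFICIAL):
        return None                      # our own site or one of its subdomains
    for token in re.split(r"[.-]", domain):
        norm = normalize(token)
        if norm == BRAND:
            return "brand-token" if token == BRAND else "homoglyph"
        if BRAND in norm:
            return "brand-embedded"
        if abs(len(norm) - len(BRAND)) <= 2 and edit_distance(norm, BRAND) <= 2:
            return "typosquat"
    return None

def triage(domains):
    """Map each suspicious hostname to the reason it was flagged."""
    hits = {d: classify(d) for d in domains}
    return {d: why for d, why in hits.items() if why}

# Constructed sample feed (not real observations)
SAMPLE_FEED = ["shop.examplemart.example", "examplemart-deals.example",
               "exarnplemart.example", "examp1emart-blackfriday.example",
               "examplemrat.example", "gardenfurniture.example"]

if __name__ == "__main__":
    for host, why in triage(SAMPLE_FEED).items():
        print(f"{why:15} {host}")
```

Flagged hostnames are leads for an analyst to review, not proof of a scam; confirmed ones can go to your takedown and customer-warning process.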
Online retailers should warn their customers in the lead-up to Black Friday, since they face many threats that are beyond their direct control. Educate customers on how to detect common characteristics of social engineering scams, such as poor spelling and grammar, or requests for confidential information to be sent by email. This is also a good opportunity to remind them of your own security and privacy procedures. Let your customers know what you’re doing to combat the threats, and what they can do to have a safer online shopping experience. If you know of any threats targeting your customers specifically, now’s the time to forewarn them. Your customers will appreciate your transparency and this helps to build trust in your brand.
Another often-overlooked threat during the holiday season is the DDoS (distributed denial of service) attack, in which hackers bombard servers with requests until they slow to a crawl or even crash. While not necessarily directly financially motivated, these attacks are often carried out by ruthless competitors, state actors or hacktivists to cause financial and reputational damage to businesses. Since you don’t want your online store being taken offline on a landmark retail day like Cyber Monday, make sure you have DDoS protection.
Protect your business this Black Friday
While these Black Friday security challenges are undeniable, overcoming them will help make the holiday season more profitable for your business and safer for your customers.